How to help your family stay more secure online

Many of us travel during the holidays to visit family, have them visit us, or at least touch base with those we haven't talked to in a while. One of the kindest gifts you can give beyond your own company and a new blender is to help relatives sort out online password and security problems that they may not even know they have.

The trick is to balance knowledge, agency, and capability. Don't set up your 97-year-old grandfather with a two-factor authentication approach unless he both wants it and can, unaided, use it. Likewise, your 22-year-old daughter living away from home after college might appreciate mom's password advice, but she might not take it to heart unless you share your own story of woe--and maybe pick up the cost of password-management software.

You may think this is a problem afflicting only older people--and for you, "older" might include people younger than me, a 40-something tech veteran. But I've increasingly found that teenagers up to those in their 20s can be surprisingly computer illiterate about matters we oldsters think are baseline, because modern OSes and other tools haven't required that they master the details to have effective access. Don't assume your niece or son-in-law is making smarter security decisions than mawmaw. (Mawmaw may have programmed mainframes for most of her working career, anyway.)

Of course, if you're asked for help, the sky's the limit in how well you can lock down somebody else's stuff. Just remember that you're the one they'll call when they can't unlock it.

Fresh passwords and keeping track

Picking unique, strong passwords for each service we interact with is the best plan. But you know very well that about 95 percent of your family members--unless they have computer-science degrees or work at companies that educate employees well about security--use "123456" or their child's or pet's name as their way in everywhere. (Replacing letters with common numbers or symbols doesn't help--"p@ssw0rd" is just as crackable as "password".)

Since the Target data breach in 2013 and after numerous well-covered security and privacy debacles in 2014, humans who normally could not care a whit about the integrity of their online identities and information are open to discussion. Some may have thrown in the hat and refuse to worry about it assuming there's way to be safe, of course, but others want a solution.

The simplest offer you can make is to help a relative come up with at least one strong, pronounceable password that doesn't entirely use words found in a dictionary and is sufficiently long. Using password software, I just generated the 14-character "spaj-i-odd-ord", which is acceptable at most sites. (I used 1Password for that. You can also turn to Keychain Access in Applications/Utilities: select File > New Password Item, and then click the key icon to choose among formulas.)

If your relation is comfortable with it, you can create the password with them and retain a copy of it in case they lose it later. A common rule is never to write one's password down, but that applies to people who are in a situation where other people regularly have access to their computer. Even if that's the case, writing it down somewhere where your flesh and blood or in-law knows to look later, but which isn't obvious or easily findable, is a good rule.

Then work with them to change their current password at every site they routinely use, especially banking, medical, or other financial sites. Even if they don't want you to know the password, you can help them think through where they have used the password. If a site has particular requirements, such as not allowing hyphens, removing hyphens or inserting a number should help, but have your relative write those variants down as well, preferably noting the exceptions.

Better still, for relations who have enough computer knowledge and moxie to deal with it, is to have them (or you) purchase and install 1Password or LastPass, which work on all the major desktop and mobile platforms. Both programs can generate strong passwords on demand, and offer browser plug-ins to allow filling in passwords on Web sites. In iOS, both offer iOS 8 extensions to fill in passwords within the Safari browser.

Because both packages have network-based synchronization, you can be an aid (again, with permission!) by being part of the synced set of systems for that relative's passwords. That can be as simple with 1Password as using a shared Dropbox folder to sync their password archive; or, in LastPass, for them to give you their account password, as LastPass has a Web app.

For an aged or ailing family member who has given you power of attorney in the case they are incapacitated, a shared set of their passwords can make it much easier to carry out tasks on their behalf and settle affairs.

Phishing, cc'ing email, and other monitoring

Scams are nothing new, but making sure your family is aware of how frequent the attempts are, even when they aren't sophisticated, is still critical. I have relations who cannot seemingly accept, even after being phished (having a spoof email lead them to a site at which they entered credentials for their email), that email messages can be forged as easily as someone could use a photocopy machine to invent an official-looking letter.

Older people are often targeted with a variety of online scams for several reasons: they tend to have more money more readily available; they are often, but certainly not always, less technically savvy; and as we age, our critical faculties may lag. And if someone has been scammed, they're often shy about discussing it with family or authorities, especially if they've been cheated out of money. Young people can also be remarkably credulous before they've made their way in the world, and may be equally embarrassed to talk about it.

Encourage family members to delete email (or report it as spam) that requests any personal or account information of any kind. Help them understand that no viable online service or financial institution will ever accept a credit-card number or ask for a password via email. You could also suggest they forward any such request to you for your evaluation, even though that increases your work load. Better that than help them recover from account hijacks. Particularly vulnerable relatives may agree to or ask that you have access to their email accounts to help them sort through nonsense.

Point them to resources in your state or at the federal level that they can refer to, such as Fraud Fighters at the Washington State Attorney General's site, or's online fraud information site. Bookmark the sites, too.

More insidious are look-alike sites that someone may be persuaded to visit by clicking a link in phishing email, or that their machines are redirected to after malware is installed. Those are harder to fight against. A recent study found that the best-composed fake pages could fool 45 percent of all visitors. But even the worst pages captured the belief of 3 percent of users. Telling relatives to type in addresses (like,,,, and the like) or use browser bookmarks that you can help them set up reduces some of the potential of being successfully phished.

Holidays are also a good time to make sure family members with Windows or Android devices have anti-malware/anti-virus software installed, to help deter some of the effects of clicking or tapping the wrong thing. Read the professional reviews, because there are so many options and lots of dubious review sites that receive commissions on sales. Some packages are outright purchases, while others require an automatically renewing subscription fee. (Attacks against Mac OS X have tended to be of the variety that cannot be caught in advance, although software like Little Snitch can help alert you to anything weird. iOS doesn't allow anti-anything software.) Some software will install browser plug-ins to alert or block even the most carefully composed forged site after it's been reported to a central registry.

You might also be able to help through remote access software on a desktop system. The service from LogMeIn (free for simple use) allows remote sessions--including remote control--without any prearrangement, just the installation of a tiny bit of software that you can guide the other party through. iTeleport for Mac OS X ($29.99) requires installation on any host computer and the use of a Google account login to tunnel through any intervening networks and allow remote access. (Back to My Mac is an option, but requires much more configuration and isn't terrific at crossing all network boundaries to make a connection.)

Nobody wants to have their accounts, finances, and private details exposed, but the cold, hard world is tough to navigate without a little help. You can be your family's digital lifesaver in just a well-spent afternoon.